- The agent loop — call the model, run tools, feed results back, repeat until done.
- Handoffs — route a task to a specialized agent (triage → spend → reporting).
- Guardrails — validate inputs/outputs and bail early on policy violations.
- Sessions, tracing, and human-in-the-loop — pause a run for approval and resume it.
How the pairing works
- Naive’s SDK exposes a small, drop-in toolset via
agentTools()— a discover-then-run meta-toolset (search apps/primitives, then run them) instead of thousands of schemas. - Each Naive tool ships an Anthropic-style
input_schema(plain JSON Schema), and the OpenAI Agents SDK’stool()helper accepts a raw JSON schema directly — so the adapter is a few lines. - Every call stays gated by the user’s Account Kit on Naive’s servers; sensitive actions
resolve to a
pending_approvalpayload.
Tested against:
@usenaive-sdk/server 0.7.x (Naive API v2), @openai/agents 0.11.x
(Agent, run, tool, MCPServerSSE), on Node ≥ 20.tool() accepts a raw JSON schema for parameters; this guide passes Naive’s
input_schema through directly and sets strict: false, because the discover-then-run
tools use optional fields that aren’t strict-mode JSON Schema. Naive re-validates every
call server-side regardless. For the MCP extension this guide uses MCPServerSSE
(Naive’s hosted MCP server speaks SSE). Pin your versions and set model to a model you
have access to.Prerequisites
- A Naive API key (
nv_sk_...) — get one from the dashboard. - An
OPENAI_API_KEYfor the model that runs the agent (the SDK reads it by default). - Node ≥ 20.
Minimal viable integration
The shortest path to an OpenAI Agents SDK agent that can actually transact: define a policy, provision a user, adapt Naive’s tools, and run the agent.Define the policy, then provision a user
An Account Kit is the spend/capability policy. Here a tenant
user gets a card (capped at $500, approval required), the vault, and an allowlist of apps.
Everything the agent does is bounded by this kit — server-side.
Adapt Naive's tools into OpenAI Agents tools
client.agentTools() returns tools as JSON-schema definitions plus a handle(name, input)
dispatcher. The SDK’s tool() takes a raw JSON schema in parameters, so the adapter maps
each Naive tool’s input_schema and routes the executor through handle:naive_search_apps, naive_connect_app,
naive_run_capability, naive_search_primitives, naive_run_primitive, …) — a handful of
tools that reach every app and primitive the kit allows, instead of thousands of schemas.With
strict: false the SDK passes arguments through without local schema validation, but
Naive re-validates every call server-side against the Account Kit — so the model can’t
smuggle out-of-policy arguments past the agent.Build the agent — and let it transact
Hand the adapted tools to an
Agent, then run it. The SDK runs the multi-step loop for
you (call tool → feed result back → continue):- The model discovers GitHub (
naive_connect_app), returns a connect link for Alice to authorize, and attempts to issue the card (naive_run_primitive→cards.create). - The card is a real card on Alice’s account, capped by her kit.
- The whole agent loop is the SDK’s; the real-world actions are Naive’s.
Agent that would otherwise just describe spending
money now issues a policy-bounded card on a specific user’s account.
Extension: human-in-the-loop spend (two gates)
Because the kit setcards.requiresApproval: true, the agent cannot silently spend. Pair
the SDK’s native approval flow with Naive’s server-side gate for defense in depth:
- In the run — mark the spend tool
needsApproval. The SDK pauses the run and returnsinterruptionsbefore that tool executes, so you surface the call for review. - On the server — even if a call gets through, Naive freezes it and returns a pending
approval (HTTP
202) instead of a live card. This holds no matter what runtime calls it.
202 / isPendingApproval payload uses action; approval records from
approvals.list() or approvals.get() use action_type.
Your app then resolves it out of band — and on approval, Naive replays the frozen action
server-side:
isPendingApproval(res), or
poll a single approval to completion with client.approvals.wait(approvalId). See
Approvals for the full lifecycle (pending → executed / failed / denied).
Approvals are only enforced for agent (API-key / MCP) calls on real tenant users. A human
acting in your dashboard, and agent calls on the operator’s own default user, bypass the
gate — so end-user agents stay governed while your own automation isn’t slowed down.
Alternative: hand a scoped MCP session to the agent
If the agent runs somewhere you don’t fully trust (an edge runtime, a third-party host), don’t ship it your API key. Mint a short-lived, per-user MCP session and point anMCPServerSSE at it — the bearer lives only in the request headers and expires.
The SDK auto-discovers Naive’s tools as MCP tools:
- Same Account Kit, same approval gates — just delivered as a remote MCP server instead of in-process tools.
- The session is scoped to one user and expires (default 15 min, max 24h); revoke early with
client.sessions.revoke(session.id).
What stays enforced
No matter which path you choose, the policy is enforced where it matters — on Naive’s servers, not in your prompt or your agent config:- Identity — every action runs as a specific tenant user, fully isolated from your other users.
- Capability bounds — the Account Kit decides which
primitives and which apps the agent can touch (
allowlist/blocklist/ per-tool). - Scoped spend — virtual cards are capped per card and per user; the model can’t raise its own limit.
- Human-in-the-loop — sensitive actions (cards, domains, KYC, formation, connecting an app) freeze as approvals until a human says yes.
Next steps
- SDK overview — the full Naive client surface
- Agent tools — what
agentTools()exposes and howhandle()works - Account Kits — author spend/capability policy
- Approvals — the human-in-the-loop lifecycle
- Sessions — per-user MCP sessions for untrusted runtimes